[BreachExchange] Murky Details Surround Bed, Bath and Beyond Breach

Destry Winant destry at riskbasedsecurity.com
Thu Oct 31 10:08:06 EDT 2019


https://threatpost.com/murky-details-bed-bath-beyond-breach/149691/

The housewares giant disclosed a breach with few details, but security
researchers have some theories.

Housewares and home furnishings purveyor Bed, Bath and Beyond has
disclosed a data-thieving cyber attack that allowed the adversaries to
access customers’ online accounts.

According to a Tuesday SEC filing, the company “discovered that a
third party acquired email and password information from a source
outside of the company’s systems which was used to access … customers’
online accounts.”

The retailer sent out notifications on Tuesday to affected shoppers,
who collectively represent less than 1 percent of the company’s online
customer accounts, it said. The company, which receives about 4
million website visitors per month, didn’t give a firm figure for the
number of those impacted.

Other details are scant, but Colin Bastable, CEO of security training
and awareness company Lucy Security, said that he believed the short
statement indicates a supply-chain attack vector, rather than someone
managing to find a set of internal administrative credentials for the
company.

“Our Lucy analysts say that a quick look on the Dark Web shows only
one recent potential exposure of a Bed Bath & Beyond employee’s
credentials, first spotted back in June — a person in HR with a
supposed credential associated with a purported company email
address,” he said in an email. “The most likely point of entry is
through a third-party supplier of services to the company, and the
odds are over 90 percent in favor of the attack being initiated by a
phishing email, perhaps a spoof email, one that appears to be from
someone else.”

Javvad Malik, security awareness advocate at KnowBe4, had a different theory.

“It’s currently unclear as to exactly how the attack against Bed Bath
& Beyond was perpetrated. But going on the limited information, it
could be that an employee had reused their corporate credentials which
were subsequently compromised,” he said.

While Bed Bath and Beyond, which also owns the brands Christmas Tree
Shops, Cost Plus World Market, and buybuy Baby, among other
businesses, did say that payment cards weren’t impacted, the filing is
unclear as to what other information was obtained; if attackers were
able to access online accounts, that could in theory include order
histories and the like.

“Attackers do not discriminate against the size or type of company,
customer data is valuable all the same regardless of the source,”
Malik said. “This data is not just restricted to financial data — but
personal data is also equally valuable to criminals, and in some
cases, even more so.”

Bastable said that even if only emails were in the cache of accessed
data, the risk of follow-on attacks is real.

“The bad guys don’t need a password to phish you, just a valid email,”
he explained. “How do they know that the next marketing email is
really from Bed Bath and Beyond? Phishing attacks can keep coming over
the next several years. The message to all consumers is – you may
trust your favorite online store’s security, but you don’t know who
they allow to have access to your data. Don’t recycle passwords with
online shopping sites.”

According to a report on stolen credentials and Fortune 500 companies
from ImmuniWeb released this week (Bed, Bath and Beyond is No. 258 on
the Fortune list), millions of stolen corporate credentials available
in the Dark Web are exploited by cybercriminals for spearphishing and
password re-use attacks.

ImmuniWeb’s analysis of the quality and quantity of stolen credentials
accessible on the Dark Web found there to be over 21 million
(21,040,296) credentials belonging to Fortune 500 companies, of which
over 16 million (16,055,871) were compromised during the last 12
months. As many as 95 percent of the credentials contained plaintext
passwords, either stored unencrypted or brute-forced and cracked by
the attackers.

The most common sources of the exposures and breaches were third
parties (e.g. websites or other resources of unrelated organizations);
trusted third parties (partners, suppliers or vendors); and the
companies themselves (e.g. their own websites or other in-house
resources).

Both the number of reported data breaches and the number of records
exposed in them rose by over 50 percent in Q1 2019 compared to the
same period the previous year, according to earlier research from Risk
Based Security, amounting to 4,000 breaches exposing over 4 billion
compromised records.
